summaryrefslogtreecommitdiffstats
path: root/tests/py/inet
Commit message (Collapse)AuthorAgeFilesLines
* tests: py: check more flag match transformations to compact syntaxHEADmasterPablo Neira Ayuso3 days3-0/+193
| | | | | | Add a few more tests to extend coverage. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: tcp flags & (fin | syn | rst | ack) == synPablo Neira Ayuso3 days3-0/+36
| | | | | | Add a test case to cover translation to tcp flags syn / fin,syn,rst,ack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: skip flags / mask notation for singleton bitmaskPablo Neira Ayuso3 days3-0/+31
| | | | | | | | Do not transform 'tcp flags & flag == flag' to 'flag / flag'. The parser does not accept this notation yet. Fixes: c3d57114f119 ("parser_bison: add shortcut syntax for matching flags without binary operations") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: idempotent tcp flags & syn != 0 to tcp flag synPablo Neira Ayuso4 days3-0/+25
| | | | | | Add a test to cover this case. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: disallow negation with binary operationPablo Neira Ayuso4 days1-0/+1
| | | | | | | | | | | | | The negation was introduced to provide a simple shortcut. Extend e6c32b2fa0b8 ("src: add negation match on singleton bitmask value") to disallow negation with binary operations too. # nft add rule meh tcp_flags 'tcp flags & (fin | syn | rst | ack) ! syn' Error: cannot combine negation with binary expression add rule meh tcp_flags tcp flags & (fin | syn | rst | ack) ! syn ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ~~~ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_linearize: incorrect netlink bytecode with binary operation and flagsPablo Neira Ayuso4 days3-0/+70
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | nft generates incorrect bytecode when combining flag datatype and binary operations: # nft --debug=netlink add rule meh tcp_flags 'tcp flags & (fin | syn | rst | ack) syn' ip [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 1b @ transport header + 13 => reg 1 ] [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] Note the double bitwise expression. The last two expressions are not correct either since it should match on the syn flag, ie. 0x2. After this patch, netlink bytecode generation looks correct: # nft --debug=netlink add rule meh tcp_flags 'tcp flags & (fin | syn | rst | ack) syn' ip [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 1b @ transport header + 13 => reg 1 ] [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000002 ] Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expression: missing != in flagcmp expression print functionPablo Neira Ayuso4 days3-0/+34
| | | | | | | Missing != when printing the expression. Fixes: c3d57114f119 ("parser_bison: add shortcut syntax for matching flags without binary operations") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: missing json update for numeric reject with icmp numericPablo Neira Ayuso4 days1-0/+10
| | | | | | | Add missing tests to cover json support for reject with icmp numeric. Fixes: 1ab1fcbc19a8 ("parser_bison: parse number as reject icmp code") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: update new reject with icmp code syntax leftoverPablo Neira Ayuso4 days1-2/+2
| | | | | | | I forgot to update a few more spots in the json files. Fixes: 08d2f0493671 ("src: promote 'reject with icmp CODE' syntax") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: promote 'reject with icmp CODE' syntaxPablo Neira Ayuso5 days3-65/+65
| | | | | | | | | | | | | | | | | | | | | | | The kernel already assumes that that ICMP type to reject a packet is destination-unreachable, hence the user specifies the *ICMP code*. Simplify the syntax to: ... reject with icmp port-unreachable this removes the 'type' keyword before the ICMP code to reject the packet with. IIRC, the original intention is to leave room for future extensions that allow to specify both the ICMP type and the ICMP code, this is however not possible with the current inconsistent syntax. Update manpages which also refer to ICMP type. Adjust tests/py to the new syntax. Fixes: 5fdd0b6a0600 ("nft: complete reject support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: parse number as reject icmp codePablo Neira Ayuso5 days2-0/+5
| | | | | | | | | | | | Extend parser to accept a numeric icmp code, instead of bailing out: # nft add rule inet filter input reject with icmpx type 3 Error: syntax error, unexpected number, expecting string add rule inet filter input reject with icmpx type 3 ^ Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1555 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: add dnat to port without defining destination addressPablo Neira Ayuso9 days3-0/+28
| | | | | | | Add a test to cover dnat to port without destination address. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1428 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: memleak in error path of the set to segtree conversionPablo Neira Ayuso2021-06-181-1/+1
| | | | | | | | | | | Release the array of intervals and the segtree in case of error, otherwise these structures and objects are never released: SUMMARY: AddressSanitizer: 2864 byte(s) leaked in 37 allocation(s). Moreover, improve existing a test coverage of this error path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: remove redundant test casesFlorian Westphal2021-06-0724-1788/+0
| | | | | | | | | | | | | Check for ... 23-42 ... ... { 23-42 } ... and remove the latter. Followup patch will translate the former to the latter during evaluation step to avoid the unneded anon set. A separate test case will be added that checks for such rewrites. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: ct: prefer normal cmpFlorian Westphal2021-06-073-12/+5
| | | | | | | | Followup patch will replace the { 1.2.3.4 } with single cmp, so this will cause an error when the netlink dump gets compared. Signed-off-by: Florian Westphal <fw@strlen.de>
* json: fix parse of flagcmp expressionFlorian Westphal2021-06-021-0/+27
| | | | | | | | | | | | The json test case for the flagcmp notation ('tcp flags syn,fin / syn,fin') fails with: command: {"nftables": [{"add": {"rule": {"family": "ip", "table": "test-ip4", "chain": "input", "expr": [{"match": {"left": {"&": [{"payload": {"field": "flags", "protocol": "tcp"}}, ["fin", "syn"]]}, "op": "==", "right": ["fin", "syn"]}}]}}}]} internal:0:0-0: Error: List expression only allowed on RHS or in statement expression. internal:0:0-0: Error: Failed to parse RHS of binop expression. internal:0:0-0: Error: Invalid LHS of relational. internal:0:0-0: Error: Parsing expr array at index 0 failed. internal:0:0-0: Error: Parsing command array at index 0 failed. Signed-off-by: Florian Westphal <fw@strlen.de>
* exthdr: Implement SCTP Chunk matchingPhil Sutter2021-05-193-0/+670
| | | | | | | | Extend exthdr expression to support scanning through SCTP packet chunks and matching on fixed fields' values. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* parser_bison: add shortcut syntax for matching flags without binary operationsPablo Neira Ayuso2021-05-162-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the following shortcut syntax: expression flags / flags instead of: expression and flags == flags For example: tcp flags syn,ack / syn,ack,fin,rst ^^^^^^^ ^^^^^^^^^^^^^^^ value mask instead of: tcp flags and (syn|ack|fin|rst) == syn|ack The second list of comma-separated flags represents the mask which are examined and the first list of comma-separated flags must be set. You can also use the != operator with this syntax: tcp flags != fin,rst / syn,ack,fin,rst This shortcut is based on the prefix notation, but it is also similar to the iptables tcp matching syntax. This patch introduces the flagcmp expression to print the tcp flags in this new notation. The delinearize path transforms the binary expression to this new flagcmp expression whenever possible. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: missing relational operation on flag listPablo Neira Ayuso2021-05-023-0/+27
| | | | | | | | | | | | | | | Complete e6c32b2fa0b8 ("src: add negation match on singleton bitmask value") which was missing comma-separated list of flags. This patch provides a shortcut for: tcp flags and fin,rst == 0 which allows to check for the packet whose fin and rst bits are unset: # nft add rule x y tcp flags not fin,rst counter Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: Set NFTNL_SET_DATA_TYPE before dumping set elementsPhil Sutter2021-03-092-4/+4
| | | | | | | | In combination with libnftnl's commit "set_elem: Fix printing of verdict map elements", This adds the vmap target to netlink dumps. Adjust dumps in tests/py accordingly. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests/py: Adjust payloads for fixed nat statement dumpsPhil Sutter2021-03-092-9/+9
| | | | | | Libnftnl no longer dumps unused regs, so drop those. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests/py: Add a test sanitizer and fix its findingsPhil Sutter2021-02-0411-212/+24
| | | | | | | | | | | | | | | | This is just basic housekeeping: - Remove duplicate tests in any of the *.t files - Remove explicit output if equal to command itself in *.t files - Remove duplicate payload records in any of the *.t.payload* files - Remove stale payload records (for which no commands exist in the respective *.t file - Remove duplicate/stale entries in any of the *.t.json files In some cases, tests were added instead of removing a stale payload record if it fit nicely into the sequence of tests. Signed-off-by: Phil Sutter <phil@nwl.cc>
* json: Do not abbreviate reject statement objectPhil Sutter2021-02-031-6/+9
| | | | | | | | | No need to reduce output size, also this way output is more predictable. While being at it, drop some pointless chunks from tests/py/bridge/reject.t.json.output. Signed-off-by: Phil Sutter <phil@nwl.cc>
* reject: Unify inet, netdev and bridge delinearizationPhil Sutter2021-01-272-196/+32
| | | | | | | | | | | | | | Postprocessing for inet family did not attempt to kill any existing payload dependency, although it is perfectly fine to do so. The mere culprit is to not abbreviate default code rejects as that would drop needed protocol info as a side-effect. Since postprocessing is then almost identical to that of bridge and netdev families, merge them. While being at it, extend tests/py/netdev/reject.t by a few more tests taken from inet/reject.t so this covers icmpx rejects as well. Cc: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: py: Fix for changed concatenated ranges outputPhil Sutter2020-12-153-3/+3
| | | | | | | Payload didn't change but libnftnl was fixed to print the key_end data reg of concat-range elements, too. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: py: update format of registers in bitwise payloads.Jeremy Sowden2020-11-166-13/+13
| | | | | | | | | libnftnl has been changed to bring the format of registers in bitwise dumps in line with those in other types of expression. Update the expected output of Python test-cases. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: remove duplicate payloads.Jeremy Sowden2020-11-094-221/+0
| | | | | | | | | nft-test.py only needs one payload per rule, but a number of rules have duplicates, typically one per address family, so just keep the last payload for rules listed more than once. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: avoid warning and add missing json test casesFlorian Westphal2020-11-052-2/+57
| | | | | | make dnat.t pass in json mode. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: json: add missing test case outputFlorian Westphal2020-11-051-0/+74
| | | | | | | | | | | | Fix warnings and errors when running nf-test.py -j due to missing json test case updates. This also makes bridge/reject.t pass in json mode. No code changes. Fixes: 8615ed93f6e4c4 ("evaluate: enable reject with 802.1q") Fixes: fae0a0972d7a71 ("tests: py: Enable anonymous set rule with concatenated ranges in inet/sets.t") Fixes: 2a20b5bdbde8a1 ("datatype: add frag-needed (ipv4) to reject options") Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: add missing test JSON output for TCP flag tests.Jeremy Sowden2020-10-122-0/+186
| | | | | | Fixes: 3926a3369bb5 ("mergesort: unbreak listing with binops") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: context tracking for multiple transport protocolsPablo Neira Ayuso2020-09-152-0/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch extends the protocol context infrastructure to track multiple transport protocols when they are specified from sets. This removes errors like: "transport protocol mapping is only valid after transport protocol match" when invoking: # nft add rule x z meta l4proto { tcp, udp } dnat to 1.1.1.1:80 This patch also catches conflicts like: # nft add rule x z ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80 Error: conflicting protocols specified: udp vs. tcp add rule x z ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80 ^^^^^^^^^ and: # nft add rule x z meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80 Error: conflicting protocols specified: udp vs. tcp add rule x z meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80 ^^^^^^^^^ Note that: - the singleton protocol context tracker is left in place until the existing users are updated to use this new multiprotocol tracker. Moving forward, it would be good to consolidate things around this new multiprotocol context tracker infrastructure. - link and network layers are not updated to use this infrastructure yet. The code that deals with vlan conflicts relies on forcing protocol context updates to the singleton protocol base. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: added "socket wildcard" testcasesBalazs Scheidler2020-08-293-0/+62
| | | | | Signed-off-by: Balazs Scheidler <bazsi77@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mergesort: unbreak listing with binopsPablo Neira Ayuso2020-08-202-0/+23
| | | | | | | | | | | | | tcp flags == {syn, syn|ack} tcp flags & (fin|syn|rst|psh|ack|urg) == {ack, psh|ack, fin, fin|psh|ack} results in: BUG: Unknown expression binop nft: mergesort.c:47: expr_msort_cmp: Assertion `0' failed. Aborted (core dumped) Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: Enable anonymous set rule with concatenated ranges in inet/sets.tStefano Brivio2020-05-284-1/+41
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 64b9aa3803dd ("tests/py: Add tests involving concatenated ranges") introduced a rule, commented out, adding an anonymous set including concatenated ranges. Now that they are properly handled, we can enable it. Note that this introduces a new warning. In the output below, '\' marks newlines I introduced to keep lines short: inet/sets.t: WARNING: line 24: \ 'add rule inet test-inet input ip daddr . tcp dport \ { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept': \ 'ip daddr . tcp dport \ { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept' \ mismatches 'meta nfproto ipv4 ip daddr . tcp dport \ { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443} accept' which is similar to the existing warning, also introduced by commit 64b9aa3803dd: inet/sets.t: WARNING: line 23: \ 'add rule inet test-inet input \ ip saddr . ip daddr . tcp dport @set3 accept': \ 'ip saddr . ip daddr . tcp dport @set3 accept' mismatches \ 'meta nfproto ipv4 ip saddr . ip daddr . tcp dport @set3 accept' This is mentioned in the commit message for 64b9aa3803dd itself: * Payload dependency killing ignores the concatenated IP header expressions on LHS, so rule output is asymmetric. which means that for family inet, 'meta nfproto ipv4' is added to the output of the rule, on top of what was passed as input, but not for families bridge and netdev. For this reason, it's not possible in this case to specify a single expected output, differing from the input, and, also, 'meta nfproto ipv4' can only be passed as input for family inet as it's not relevant for the other families. As an alternative, we could split the rules from this test into tests for the corresponding families, as this test case itself is under the 'inet' directory, but I consider this beyond the scope of this patchset. v2: Enable rule in py/inet/sets.t instead of adding a new test in shell/sets (Phil Sutter) Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tests: py: remove range test with service namesPablo Neira Ayuso2020-04-281-1/+0
| | | | | | | Service names printing are not default these days, using service names with ranges is misleading. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: broken error reporting with mappingsPablo Neira Ayuso2020-04-111-0/+2
| | | | | | | | | | | | | Segfault on error reporting when intervals overlap. ip saddr vmap { 10.0.1.0-10.0.1.255 : accept, 10.0.1.1-10.0.2.255 : drop } Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1415 Fixes: 4d6ad0f310d6 ("segtree: check for overlapping elements at insertion") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: update nat expressions payload to include proto flagsPablo Neira Ayuso2020-03-201-2/+2
| | | | | | | Update tests according to 6c84577b0d23 ("evaluate: add range specified flag setting (missing NF_NAT_RANGE_PROTO_SPECIFIED)") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Move tcpopt.t to any/ directoryPhil Sutter2020-03-104-719/+0
| | | | | | | Merge tcpopt.t files in ip, ip6 and inet into a common one, they were just marignally different. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests/py: Add tests involving concatenated rangesPhil Sutter2020-03-105-0/+77
| | | | | | | | | | | | | | | Very basic testing, just a set definition, a rule which references it and another one with an anonymous set. Sadly this is already enough to expose some pending issues: * Payload dependency killing ignores the concatenated IP header expressions on LHS, so rule output is asymmetric. * Anonymous sets don't accept concatenated ranges yet, so the second rule is manually disabled for now. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: py: add bit-shift tests.Jeremy Sowden2020-02-073-0/+29
| | | | | | | | Add a couple of Python test-cases for setting the CT mark to a bitwise expression derived from the packet mark and vice versa. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xfrm: spi is big-endianFlorian Westphal2020-01-141-1/+0
| | | | | | | the kernel stores spi in a __be32, so fix up the byteorder annotation. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: add missing json outputsFernando Fernandez Mancera2019-07-171-0/+25
| | | | | | Fixes: 1188a69604c3 ("src: introduce SYNPROXY matching") Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: introduce SYNPROXY matchingFernando Fernandez Mancera2019-07-173-0/+156
| | | | | | | | | | | | | | | | | | | | Add support for "synproxy" statement. For example (for TCP port 8888): table ip x { chain y { type filter hook prerouting priority raw; policy accept; tcp dport 8888 tcp flags syn notrack } chain z { type filter hook input priority filter; policy accept; tcp dport 8888 ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm ct state invalid drop } } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: fix up two broken json test casesFlorian Westphal2019-07-171-0/+23
| | | | | | | | | Forgot to add a json test case for the recently added ct ip addr in map case. Fix up rawpayload.t for json, it needs to expect new "th dport" when listing. Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* src/ct: provide fixed data lengh sizes for ip/ip6 keysFlorian Westphal2019-07-122-0/+10
| | | | | | | | | | | | | | | | | | nft can load but not list this: table inet filter { chain input { ct original ip daddr {1.2.3.4} accept } } Problem is that the ct template length is 0, so we believe the right hand side is a concatenation because left->len < set->key->len is true. nft then calls abort() during concatenation parsing. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1222 Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: support for NFT_CT_{SRC,DST}_{IP,IP6}Pablo Neira Ayuso2019-06-213-6/+3
| | | | | | | | | | | | | | | | | These keys are available since kernel >= 4.17. You can still use NFT_CT_{SRC,DST}, however, you need to specify 'meta protocol' in first place to provide layer 3 context. Note that NFT_CT_{SRC,DST} are broken with set, maps and concatenations. This patch is implicitly fixing these cases. If your kernel is < 4.17, you can still use address matching via explicit meta nfproto: meta nfproto ipv4 ct original saddr 1.2.3.4 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: prefer meta protocol as bridge l3 dependencyFlorian Westphal2019-06-192-6/+6
| | | | | | | | | | | | | | | | | | | On families other than 'ip', the rule ip protocol icmp needs a dependency on the ip protocol so we do not treat e.g. an ipv6 header as ip. Bridge currently uses eth_hdr.type for this, but that will cause the rule above to not match in case the ip packet is within a VLAN tagged frame -- ether.type will appear as ETH_P_8021Q. Due to vlan tag stripping, skb->protocol will be ETH_P_IP -- so prefer to use this instead. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "tests: py: remove single-value-anon-set test cases"Pablo Neira Ayuso2019-05-2424-0/+1711
| | | | This reverts commit d03bcb669c0c645190df9bd166f53380bcac7862.
* tests: py: remove single-value-anon-set test casesFlorian Westphal2019-05-1924-1711/+0
| | | | | | | | future change will rewrite all single-element anon sets to a cmp op. Retain a few test cases to later check that the rewrite is correct, but remove all others. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/py: Fix JSON expected output after expr merge changePhil Sutter2019-05-091-42/+2
| | | | | | | | Looks like original patch missed this one. Fixes: 88ba0c92754d8 ("tests: fix up expected payloads after expr merge change") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>